On 9/29/22 FinCEN issued the very anticipated Final Rule establishing a beneficial ownership information reporting requirement, pursuant to the bipartisan Corporate Transparency Act (CTA). The Final Rule will require most corporations, limited liability companies, and other entities created in or registered to do business in the United States to report information about their beneficial ownership. The Beneficial Ownership Information (BOI) reporting provisions of the CTA proposed rule is designed to protect the US financial system from illicit use and impede malign actors from abusing legal entities, including shell companies, to conceal proceeds of corrupt/criminal acts. Reporting companies (domestic and foreign) ought to make sure that they will be ready to comply with the Final Rule by its effective date of January 1, 2024, to identify the beneficial owners of an entity and the company applicants of an entity. The CTA directs the Secretary of the Treasury to maintain BOI “in a secure, nonpublic database, using information security methods and techniques that are appropriate to protect non-classified information security systems at the highest security level”. To implement this requirement, FinCEN has been developing the Beneficial Ownership Secure System (BOSS) to receive, store, and maintain BOI.
What we know about the BOSS so far directly from the Final Rule (paraphrasing the language in the Final Rule)
- FinCEN expects that BOI reports will be submitted electronically through an online interface but understands there may be certain circumstances in which a reporting company is unable to file through this interface.
- FinCEN is continuing to consider how to address such cases, as well as other modalities for filing through the online interface, such as “batch” filing or other means.
- The BOSS will be secured to a Federal Information Security Management Act “High” compliance level, the highest information security protection level under the Act.
- FinCEN intends to issue proposed regulations governing the disclosure of BOI to authorized recipients and requiring, among other things, that recipients maintain the highest security safeguards practicable.
- As required by the CTA, the proposed regulations will ensure that Treasury has taken all appropriate steps to safeguard BOI and to disclose BOI only for authorized purposes consistent with the CTA.
- FinCEN recognizes the importance of address confidentiality programs in ensuring the safety of victims of domestic violence and other crimes and will consider appropriate guidance or relief to address those situations. As more information may be required regarding the specifics of these programs and the technical specifications of FinCEN’s BOSS, FinCEN will address these matters at a later date.
- FinCEN has adopted the effective date for this final rule based on several practical factors, including, for example, the time needed for secretaries of state and Tribal authorities to understand the new requirements and to update their websites and other documentation to notify reporting companies of their obligations under the CTA; allowing reporting companies, and small businesses in particular, sufficient time to receive notice of and comply with the new rules; and the need for FinCEN to take steps to design and build the BOSS and to work with secretaries of state, Tribal authorities, industry groups and small business, and other stakeholders to ensure a thorough and complete understanding of the rules.
- FinCEN believes that it is reasonable to require reporting companies to certify the accuracy and completeness of their own reports, and it is appropriate to expect that reporting companies will take care to verify the information they receive from their beneficial owners and applicants before they report it to FinCEN.
- While an individual may file a report on behalf of a reporting company, the reporting company is ultimately responsible for the filing. The same is true of the certification. The reporting company will be required to make the certification, and any individual who files the report as an agent of the reporting company will certify on the reporting company’s behalf.
- FinCEN will need to engage intensively with authorized users of the BOSS that will have access to BOI, such as federal, state, local, and Tribal law enforcement authorities, to draft and negotiate memoranda of understanding and access and security agreements for authorized users and to develop standard operating procedures and internal protocols for the adjudication of inquiries relating to reporting and disclosure.
- FinCEN recognizes that a fully operational BOSS that is ready to receive reports from reporting companies is necessary to implement the reporting rule. FinCEN is working expeditiously to complete steps to design and build the BOSS so that it can collect and provide access to BOI. Upon the CTA’s enactment, FinCEN began a process for BOSS program initiation and acquisition planning that has led to the development of a detailed development and implementation plan for the initial BOSS release. Based on this plan, FinCEN has moved expeditiously into the execution phase of the project, which includes several technology projects that will be executed in parallel. The access rule will provide a high-level description of how the BOSS will operate.
- The selected effective date is intended to provide adequate time to complete the BOSS design and development and to secure the necessary appropriations to operate and maintain the BOSS on an ongoing basis. Assuming adequate funding, FinCEN intends for the BOSS to be ready to receive reports and provide access to authorized users by the January 1, 2024, effective date. FinCEN also intends to propose and finalize the rulemaking governing access to BOI by this date.
- FinCEN continues to seek appropriated funds to hire the necessary staff to implement the final rules, conduct outreach to stakeholders, and design and build the BOSS. FinCEN has requested a budget increase in its FY23 budget request to support BOSS operations and maintenance and to hire CTA staff. Absent additional appropriations, FinCEN may need to adjust its implementation and outreach plans.
- While FinCEN expects that it will be able to leverage some existing BSA components, the feedback received throughout the rulemaking process has made clear that the BOSS architecture will be complex to design, build, and maintain. For example, the system of record (or database) for the beneficial ownership data will need to be segregated from the existing BSA system of record, and there will need to be another system of record to store the FinCEN identifier information. There will also need to be a separate user application with individual authentication requirements to perform work necessary to administer the FinCEN identifier. System engineering efforts have occurred simultaneously with the rulemaking process, which has involved significant input from various stakeholder groups with various access and disclosure requirements. This input has made clear to FinCEN that the user access and authentication will be complicated to design and develop.
Compliance can become more complicated
The January 2024 deadline is not far away and the time for Reporting Companies (domestic and international) to prepare is now. The influx of new information coming in will impact due diligence processes and risk assessment for Reporting Companies.
If you are a Reporting Company, will you be ready for the future beneficial ownership information reporting obligations?
Who is your Corporate Governance Expert? ©